HP 5500 Ei 5500 Si Switch Series Configuration Guide
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port-isolate enable
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port-isolate enable
[SwitchB-GigabitEthernet1/0/2] quit

After the preceding configurations are complete, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries. However, ARP broadcast requests sent from Host A can pass the check on Switch B and reach Host B. Port isolation fails.

# Configure ARP restricted forwarding.
[SwitchB] vlan 10
[SwitchB-vlan10] arp restricted-forwarding enable
[SwitchB-vlan10] quit

After the configuration, Switch B forwards ARP broadcast requests from Host A to Switch A through the trusted port GigabitEthernet 1/0/3, and thus Host B cannot receive such packets. Port isolation works normally.

Configuring ARP automatic scanning and fixed ARP

ARP automatic scanning is usually used together with the fixed ARP feature. With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.

Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers.

HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
Configuration guidelines

Follow these guidelines when you configure ARP automatic scanning and fixed ARP:
• IP addresses existing in ARP entries are not scanned.
• ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
• The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
• Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries.
• To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command (the HP 5500 SI switch series does not support the vpn-instance-name argument in the command). To delete all such static ARP entries, use the reset arp all or reset arp static command.

Configuration procedure

To configure ARP automatic scanning and fixed ARP:

Step 1. Enter system view.
    Command: system-view
Step 2. Enter interface view.
    Command: interface interface-type interface-number
Step 3. Enable ARP automatic scanning.
    Command: arp scan [ start-ip-address to end-ip-address ]
Step 4. Return to system view.
    Command: quit
Step 5. Enable fixed ARP.
    Command: arp fixup

Configuring ARP gateway protection

The ARP gateway protection feature, if configured on ports not connected with the gateway, can block gateway spoofing attacks. When such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet normally.

Configuration guidelines

Follow these guidelines when you configure ARP gateway protection:
• You can enable ARP gateway protection for up to eight gateways on a port.
• Commands arp filter source and arp filter binding cannot be both configured on a port.
• If ARP gateway protection works with ARP detection and ARP snooping, ARP gateway protection applies first.

Configuration procedure

To configure ARP gateway protection:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Enable ARP gateway protection for a specified gateway.
    Command: arp filter source ip-address
    Remarks: Disabled by default

Configuration example

Network requirements

As shown in Figure 132, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks.

Figure 132 Network diagram

Configuration procedure

# Configure ARP gateway protection on Switch B.
system-view
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter source 10.1.1.1

After the configuration is complete, Switch B will discard the ARP packets whose source IP address is that of the gateway.

Configuring ARP filtering

To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port. The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries. If a match is found, the packet is handled normally. If not, the packet is discarded.
Configuration guidelines

Follow these guidelines when you configure ARP filtering:
• You can configure up to eight ARP filtering entries on a port.
• Commands arp filter source and arp filter binding cannot be both configured on a port.
• If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.

Configuration procedure

To configure ARP filtering:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure an ARP filtering entry.
    Command: arp filter binding ip-address mac-address
    Remarks: Not configured by default

Configuration example

Network requirements

As shown in Figure 133, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234. Configure ARP filtering on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch B to permit specific ARP packets only.

Figure 133 Network diagram

Configuration procedure

# Configure ARP filtering on Switch B.
system-view
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234

After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349-1233, and discard other ARP packets. GigabitEthernet 1/0/2 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.3 and 000f-e349-1234, and discard other ARP packets. ARP packets from Host A are permitted, but those from Host B are discarded.
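As an added example that is not part of this guide, the following Python models the two port-level checks described above, ARP gateway protection (arp filter source) and ARP filtering (arp filter binding), including their mutual exclusion on a port and the eight-entry limits, and runs them over constructed ARP frames for the hosts of Figures 132 and 133. The class and function names are assumptions, not HP software.

```python
import struct
from dataclasses import dataclass, field

def parse_arp(frame: bytes):
    """Return (sender IP, sender MAC) from a raw Ethernet II + ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    sha, spa = frame[22:28], frame[28:32]            # sender hardware / protocol address
    mac = "%02x%02x-%02x%02x-%02x%02x" % tuple(sha)  # HP xxxx-xxxx-xxxx notation
    return ".".join(str(o) for o in spa), mac

@dataclass
class ArpPort:
    gateways: set = field(default_factory=set)      # arp filter source ip-address entries
    bindings: dict = field(default_factory=dict)    # arp filter binding ip mac entries
    def filter_source(self, gw_ip: str) -> None:
        if self.bindings:
            raise ValueError("arp filter source and arp filter binding cannot coexist")
        if len(self.gateways) >= 8 and gw_ip not in self.gateways:
            raise ValueError("at most eight protected gateways per port")
        self.gateways.add(gw_ip)
    def filter_binding(self, ip: str, mac: str) -> None:
        if self.gateways:
            raise ValueError("arp filter source and arp filter binding cannot coexist")
        if len(self.bindings) >= 8 and ip not in self.bindings:
            raise ValueError("at most eight ARP filtering entries per port")
        self.bindings[ip] = mac.lower()
    def accepts(self, frame: bytes) -> bool:
        ip, mac = parse_arp(frame)
        if self.gateways:           # gateway protection: drop a sender claiming a gateway IP
            return ip not in self.gateways
        if self.bindings:           # ARP filtering: sender IP and MAC must match an entry
            return self.bindings.get(ip) == mac
        return True                 # neither feature configured: the port does not filter

def build_arp_request(sender_ip: str, sender_mac: str) -> bytes:
    """Constructed sample: broadcast ARP request from the given sender (42 bytes)."""
    sha = bytes.fromhex(sender_mac.replace("-", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + bytes(10)
    return eth + arp

def demo():
    ge1 = ArpPort(); ge1.filter_binding("10.1.1.2", "000f-e349-1233")   # as in Figure 133
    ge2 = ArpPort(); ge2.filter_source("10.1.1.1")                       # as in Figure 132
    return (ge1.accepts(build_arp_request("10.1.1.2", "000f-e349-1233")),  # True: Host A
            ge1.accepts(build_arp_request("10.1.1.3", "000f-e349-1234")),  # False: no entry
            ge2.accepts(build_arp_request("10.1.1.1", "000f-e349-1234")),  # False: gateway IP
            ge2.accepts(build_arp_request("10.1.1.3", "000f-e349-1234")))  # True: ordinary host
```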
Configuring ND attack defense

Overview

The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.

The ND protocol implements its function by using five types of ICMPv6 messages:
• Neighbor Solicitation (NS)
• Neighbor Advertisement (NA)
• Router Solicitation (RS)
• Router Advertisement (RA)
• Redirect (RR)

As shown in Figure 134, an attacker can attack a network by sending forged ICMPv6 messages:
• Sends forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim host with incorrect address information. As a result, all packets intended for the victim host are sent to the attacking host rather than the victim host.
• Sends forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.

Figure 134 ND attack diagram (Switch, Host A, Host B and Host C with IP_A/MAC_A, IP_B/MAC_B and IP_C/MAC_C; forged ND packets sent toward the switch)

All forged ND packets have two common features:
• The Ethernet frame header and the source link layer address option of the ND packet contain different source MAC addresses.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.

To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.

Enabling source MAC consistency check for ND packets

Use source MAC consistency check on a gateway to filter out ND packets that carry different source MAC addresses in the Ethernet frame header and the source link layer address option.

Follow these guidelines when you enable source MAC consistency check for ND packets:
• If VRRP is used, disable source MAC consistency check for ND packets to prevent incorrect dropping of packets. With VRRP, the NA message always conveys a MAC address different from the Source Link-Layer Address option.
• Only the HP 5500 EI switches support VRRP.

To enable source MAC consistency check for ND packets:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable source MAC consistency check for ND packets.
    Command: ipv6 nd mac-check enable
    Remarks: Disabled by default

Configuring the ND detection function

Introduction to ND detection

Use the ND detection function on access devices to verify the source of ND packets. If an ND packet comes from a spoofing host or gateway, it is discarded.

The ND detection function operates on a per VLAN basis. In an ND detection-enabled VLAN, a port is either ND-trusted or ND-untrusted:
• An ND-trusted port does not check ND packets for address spoofing.
• An ND-untrusted port checks all ND packets but RA and RR messages in the VLAN for source spoofing. RA and RR messages are considered illegal and are discarded directly.

The ND detection function checks an ND packet by looking up the IPv6 static bindings table of the IP source guard function, ND snooping table, and DHCPv6 snooping table in the following steps:
1. Looks up the IPv6 static binding table of IP source guard, based on the source IPv6 address and the source MAC address in the Ethernet frame header of the ND packet.
   If an exact match is found, the ND packet is forwarded. If an entry matches the source IPv6 address but not the source MAC address, the ND packet is discarded. If no entry matches the source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table.
2. If an exact match is found in either the DHCPv6 snooping or ND snooping table, the ND packet is forwarded. If no match is found in either table, the packet is discarded. If neither the DHCPv6 snooping table nor the ND snooping table is available, the ND packet is discarded.
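The source MAC consistency check described above compares two MAC addresses carried in the same frame. The following added example (not HP code) parses a constructed Ethernet/IPv6/ICMPv6 ND packet, walks its option list for any of the five ND message types, and reports whether the Ethernet source MAC and the Source Link-Layer Address option agree; the function names, the constructed frames and the choice to pass a packet that carries no SLLA option are assumptions.

```python
import struct
from ipaddress import IPv6Address

# ICMPv6 type -> offset of the first ND option within the ICMPv6 message: RS, RA, NS, NA, RR
ND_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
SLLA_OPTION = 1                      # Source Link-Layer Address option type

def mac_str(b: bytes) -> str:
    return "%02x%02x-%02x%02x-%02x%02x" % tuple(b)   # HP xxxx-xxxx-xxxx notation

def nd_mac_check(frame: bytes):
    """Return (nd_type, frame_src_mac, slla_mac, consistent), or None if not an ND packet."""
    if len(frame) < 58 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return None                   # not IPv6, or the next header is not ICMPv6
    icmp = frame[54:]                 # skip 14-byte Ethernet + 40-byte IPv6 header
    nd_type = icmp[0]
    if nd_type not in ND_OPTIONS_OFFSET:
        return None
    frame_src, slla, pos = mac_str(frame[6:12]), None, ND_OPTIONS_OFFSET[nd_type]
    while pos + 2 <= len(icmp):       # walk TLV options; length is in 8-byte units
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0:
            break                     # malformed option: stop parsing
        if otype == SLLA_OPTION and olen == 1:
            slla = mac_str(icmp[pos + 2:pos + 8])
        pos += olen * 8
    # No SLLA option means there is nothing to compare, so the check passes (assumption).
    return nd_type, frame_src, slla, (slla is None or slla == frame_src)

def build_ns(frame_src_mac: str, slla_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Constructed sample: Neighbor Solicitation with an SLLA option (checksum left at 0)."""
    src_mac = bytes.fromhex(frame_src_mac.replace("-", ""))
    icmp = (struct.pack("!BBHI", 135, 0, 0, 0) + IPv6Address(target_ip).packed
            + b"\x01\x01" + bytes.fromhex(slla_mac.replace("-", "")))
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
           + IPv6Address(src_ip).packed + IPv6Address("ff02::1:ff00:1").packed)
    return b"\x33\x33\xff\x00\x00\x01" + src_mac + b"\x86\xdd" + ip6 + icmp

def demo():
    # Host A from Figure 135 (10::5, 0001-0203-0405) sending a genuine NS, and a
    # constructed inconsistent NS whose SLLA option disagrees with the frame source MAC.
    genuine = build_ns("0001-0203-0405", "0001-0203-0405", "10::5", "10::1")
    inconsistent = build_ns("aaaa-bbbb-cccc", "0001-0203-0405", "10::5", "10::1")
    return nd_mac_check(genuine)[3], nd_mac_check(inconsistent)[3]
```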
Configuration guidelines

Follow these guidelines when you configure ND detection:
• To create IPv6 static bindings with IP source guard, use the ipv6 source binding command. For more information, see Configuring IP source guard.
• The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see Layer 3—IP Services Configuration Guide.
• The ND snooping table is created automatically by the ND snooping module. For more information, see Layer 3—IP Services Configuration Guide.
• ND detection performs source check by using the binding tables of IP source guard, DHCPv6 snooping, and ND snooping. To prevent an ND-untrusted port from discarding legal ND packets in an ND detection-enabled VLAN, make sure that at least one of the three functions is available.
• When creating an IPv6 static binding with IP source guard for ND detection in a VLAN, specify the VLAN ID for the binding. If not, no ND packets in the VLAN can match the binding.

Configuration procedure

To configure ND detection:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: N/A
Step 3. Enable ND detection.
    Command: ipv6 nd detection enable
    Remarks: Disabled by default.
Step 4. Quit system view.
    Command: quit
    Remarks: N/A
Step 5. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 6. Configure the port as an ND-trusted port.
    Command: ipv6 nd detection trust
    Remarks: Optional. A port does not trust sources of ND packets by default.

Displaying and maintaining ND detection

Task: Display the ND detection configuration.
    Command: display ipv6 nd detection [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Task: Display the statistics of discarded packets when the ND detection checks the user legality.
    Command: display ipv6 nd detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Task: Clear the statistics by ND detection.
    Command: reset ipv6 nd detection statistics [ interface interface-type interface-number ]
    Remarks: Available in user view
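The two-step lookup of the ND detection function and the VLAN ID guideline for IP source guard bindings, as an added example that is not HP code: a small model of one ND detection-enabled VLAN with trusted ports, ipv6 source binding entries (with or without a VLAN ID) and optional DHCPv6/ND snooping tables, exercised with the addresses of Figure 135. The class, its field names and the extra binding entries are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

RA, RR = 134, 137    # ICMPv6 Router Advertisement and Redirect message types

@dataclass
class NdDetectionVlan:
    vlan_id: int
    trusted_ports: set = field(default_factory=set)
    # ipv6 source binding entries: (vlan_id or None, ipv6 address) -> mac
    static_bindings: dict = field(default_factory=dict)
    # snooping tables: ipv6 address -> mac, or None when that module is not running
    dhcpv6_snooping: Optional[dict] = None
    nd_snooping: Optional[dict] = None

    def check(self, port: str, nd_type: int, src_ip: str, src_mac: str) -> str:
        """Return 'forward' or 'discard' for an ND packet received on port in this VLAN."""
        if port in self.trusted_ports:
            return "forward"               # ND-trusted port: no source check at all
        if nd_type in (RA, RR):
            return "discard"               # RA/RR on an ND-untrusted port are illegal
        # Step 1: IP source guard static bindings. A binding created without a
        # VLAN ID is keyed on None here and therefore never matches packets in this VLAN.
        bound_mac = self.static_bindings.get((self.vlan_id, src_ip))
        if bound_mac is not None:
            return "forward" if bound_mac == src_mac else "discard"
        # Step 2: DHCPv6 snooping and ND snooping tables, whichever are available.
        tables = [t for t in (self.dhcpv6_snooping, self.nd_snooping) if t is not None]
        if not tables:
            return "discard"               # neither table exists: nothing can vouch for the source
        return "forward" if any(t.get(src_ip) == src_mac for t in tables) else "discard"

def demo():
    # Switch B from Figure 135: GE1/0/3 trusted, ND snooping running in VLAN 10,
    # plus two constructed ipv6 source binding entries (one created without a VLAN ID).
    v = NdDetectionVlan(10, trusted_ports={"GE1/0/3"},
                        static_bindings={(10, "10::5"): "0001-0203-0405",
                                         (None, "10::7"): "0001-0203-0809"},
                        nd_snooping={"10::6": "0001-0203-0607"})
    return (v.check("GE1/0/1", 135, "10::5", "0001-0203-0405"),   # forward: static match
            v.check("GE1/0/1", 135, "10::5", "aaaa-bbbb-cccc"),   # discard: IP bound to other MAC
            v.check("GE1/0/2", 136, "10::6", "0001-0203-0607"),   # forward: ND snooping match
            v.check("GE1/0/2", 135, "10::7", "0001-0203-0809"),   # discard: binding lacks VLAN ID
            v.check("GE1/0/1", 134, "10::1", "0001-0203-0405"),   # discard: RA on untrusted port
            v.check("GE1/0/3", 134, "10::1", "0001-0203-0405"))   # forward: trusted uplink
```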
ND detection configuration example

Network requirements

As shown in Figure 135, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607. Enable ND detection on Switch B to filter out forged ND packets.

Figure 135 Network diagram (Switch A as gateway with Vlan-int10 10::1 toward the Internet; Switch B with uplink GE1/0/3 and downlinks GE1/0/1 and GE1/0/2 in VLAN 10 running ND snooping; Host A 10::5 0001-0203-0405, Host B 10::6 0001-0203-0607)

Configuration procedure

1. Configuring Switch A:
# Enable IPv6 forwarding.
system-view
[SwitchA] ipv6
# Create VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] quit
# Assign port GigabitEthernet 1/0/3 to VLAN 10.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 10
[SwitchA-GigabitEthernet1/0/3] quit
# Assign an IPv6 address to VLAN-interface 10.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ipv6 address 10::1/64
[SwitchA-Vlan-interface10] quit
2. Configuring Switch B:
# Enable IPv6 forwarding.
system-view
[SwitchB] ipv6
# Create VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
# Add ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port access vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port access vlan 10
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/3] quit
# Enable ND snooping for global unicast and link local addresses in VLAN 10.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable
# Enable ND detection in VLAN 10.
[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit
# Configure the uplink port GigabitEthernet 1/0/3 as an ND-trusted port, and the downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as ND-untrusted ports (the default).
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust

The configuration enables Switch B to check all incoming ND packets of ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 based on the ND snooping table.